FRANKFORT, Ky. — Attorney General Daniel Cameron and Auditor Mike Harmon today called on Governor Beshear and the Education and Workforce Development Cabinet to explain why the administration waited more than one month after receiving a report of a security breach within the unemployment insurance system before disclosing it to Kentuckians whose personal identifying information was compromised. The administration also failed to report the breach to the Auditor’s office and Attorney General’s office within three days as required by law until being pressed to do so.
In 2014, the Kentucky General Assembly unanimously passed House Bill 5 to require government agencies that suffer a security breach to report the breach to the Auditor, Attorney General, and Kentucky State Police within three days. The law also requires the agency to investigate the matter and inform those whose information was compromised.
“Kentuckians have suffered incredible financial hardship as a result of COVID-19, resulting in nearly 40 percent of our workforce applying for unemployment benefits and entrusting their information to our Education and Workforce Development Cabinet,” said Attorney General Cameron. “The Beshear Administration’s lack of transparency and failure to promptly notify Kentuckians and our office of the breach suggest carelessness and a disregard for the importance of protecting the personal and financial information of our citizens.”
“I was proud to be one of 80 co-sponsors in the House on HB 5, which was championed by the prior state auditor,” said Auditor Mike Harmon. “At that time, Kentucky was one of only four states that didn’t require their state government to notify citizens if their personal information had been compromised due to a data breach. Given how damaging identity theft can be to any of us, especially those out of work due to the pandemic, notifying those impacted by the UI breach and informing our office was imperative. It is troubling the notifications, which are supposed to happen within two to three days, took more than a month.”
On May 19, the Attorney General’s Office of Consumer Protection sent a letter to Lt. Governor Jacqueline Coleman, who also serves as Secretary of the Education and Workforce Development Cabinet, stating that the office had learned of a potential security breach. In the letter, Consumer Protection Director Chris Lewis asked Lt. Governor Coleman to confirm that such a breach had occurred and begin conducting a reasonable and prompt investigation consistent with KRS 61.933. Lewis also noted that if such a breach had occurred in April, the Beshear Administration had not complied with the law, which requires notification of the breach within three days of its occurrence.
On May 22, Education and Workforce Development Cabinet General Counsel Joanna Decker responded to Lewis’ letter and confirmed that a security breach had occurred. Decker provided Lewis with the notification form required by state law. The form, however, was incomplete and conflicted with the letter by stating that such a breach had not occurred. The Cabinet also separately notified the Auditor’s office, with a letter and reporting form containing the same discrepancy.
After separately inquiring about the discrepancy, the Attorney General’s office and the Auditor received a completed notification form, notifying the office of the breach yesterday evening, May 28, only after Governor Beshear announced the breach in his daily press conference.
“As part of our annual audit of the Commonwealth’s Comprehensive Annual Financial Report, or CAFR, we will be auditing the Unemployment Insurance program. My office will conduct its own inquiry and follow the data to wherever that may lead,” Auditor Harmon said.
“I’m disappointed that our office was met with roadblocks and delays by the Beshear Administration when we inquired about this security breach,” added Attorney General Cameron. “The people of Kentucky deserve better. Now that we have finally received the necessary information regarding this breach, more than one month after it likely occurred, our office is committed to looking into this further and doing everything we can to ensure Kentuckians are protected and provided with the resources they need if their personal information has been compromised.”
The Attorney General and Auditor urge Kentuckians who applied for unemployment insurance between March 1 and April 30, 2020, to monitor their credit and be vigilant against scams. Federal law permits Kentuckians to receive a free copy of their credit report every twelve months from the three major credit reporting agencies. To take advantage of this free program, visit annualcreditreport.com.
Any person who has knowledge of a scam is asked to notify the Attorney General’s office by calling 888-432-9257 or completing the form at ag.ky.gov/scams.